Preparation. It's a key component of any meeting, and a few weeks ago I failed miserably. I turned up to an important meeting and realised that I had left documents which I needed to sign in my car. It was raining and the car park was a metro stop away.
Luckily, the chap I met printed the documents out during our meeting, I signed and away we went, but it got me thinking ...
Imagine that the documents were a presentation for the meeting that my team and I had created back in the office. I'm stood at reception and I tell the receptionist that I had forgotten my report. I hand her a USB stick with the 'report' and ask if she can open it and print it out for me. In colour, of course.
Here lies the issue: What is the receptionist going to do? How has she been trained?
My report could easily be malware that could infect her PC the minute she opens the document. It's likely the receptionist's PC isn't VLAN'd off from the rest of the network, so now my application can spread internally and flow from there.
It's quite frightening when you think about it. No hacking tools required. Just a simple request playing on the fact that the receptionist is being helpful. Physical Baiting.
Training and education in IT Security is a key component of any security policy within an organisation's workplace. Sometimes the easiest route in is the one least thought of, and it pays to check your current policies and not just rely on your endpoint protection.